Migrate to Azure Key Vault to host the SSL certificate
1. Create akv2k8s namespace
kubectl create ns akv2k8s
2. Install akv2k8s controller
helm repo add spv-charts https://charts.spvapi.no
helm repo update
helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s --set controller.nodeSelector."kubernetes\.io/os"=linux --set env_injector.nodeSelector."kubernetes\.io/os"=linux
3. Create Key Vault and import certificate
Create a key vault in the resource group that contains the AKS cluster.
On the Networking tab, allow access from the VNet the AKS cluster is on; otherwise the controller's requests will be rejected by the vault firewall.
Import the SSL certificate into the key vault. Supported formats: PEM and PFX (the file must include the private key, since the controller needs it to build a TLS secret).
4. Assign permission to AKS service identity
The akv2k8s controller needs access to your Key Vault to retrieve the certificate. It uses the service principal or managed identity of the cluster (the kubelet identity) to do so.
The jq tool is required to run the command below (download jq first).
Make sure the Get permission is assigned for both certificates and secrets: the public part is read through the certificate endpoint, but the private key is only exposed through the secret endpoint, so certificate Get alone is not enough. If the vault uses Azure RBAC instead of access policies, az keyvault set-policy does not apply; assign the Key Vault Certificate User and Key Vault Secrets User roles to the same object ID instead.
# Get the object ID of the AKS kubelet identity
az aks show -n <clustername> -g <resourcegroup> | jq -r .identityProfile.kubeletidentity.objectId
# Assign permission
az keyvault set-policy -n <azure key vault name> --secret-permissions get --certificate-permissions get --object-id <objectId> --subscription <azure subscription>
5. Create AzureKeyVaultSecret
Create an AzureKeyVaultSecret resource in the namespace where you want the Kubernetes Secret to be synced.
Get the name of the TLS secret configured in the onelist ingress resource; the synced secret must use the same name so the ingress does not need to change.
Create an akv-secret.yaml file with the content below.
Run the commands below to delete the old TLS secret and create the AzureKeyVaultSecret. If this is a new deployment, skip the delete command.
6. Check sync status
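The following script is an added example that is not part of the original page or the akv2k8s project: it ties steps 5 and 6 together by rendering the AzureKeyVaultSecret manifest, swapping it in for the old TLS secret, and verifying what actually landed in the cluster. The vault name my-akv, the certificate object onelist-tls, the secret name onelist-tls-secret and the namespace onelist are placeholders; replace them with the values from your vault and ingress.

```shell
#!/bin/sh
# Added example, not the page's or akv2k8s's own code.
# Assumed names (replace): vault my-akv, certificate object onelist-tls,
# TLS secret onelist-tls-secret, namespace onelist.
set -eu

# Render the AzureKeyVaultSecret manifest for step 5. object.type must be
# "certificate" and output.secret.type must be kubernetes.io/tls so the
# controller writes tls.crt and tls.key, which is what the ingress expects.
render_akv_secret_manifest() {
  vault="$1"; cert="$2"; secret="$3"; ns="$4"
  cat <<EOF
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: ${secret}
  namespace: ${ns}
spec:
  vault:
    name: ${vault}
    object:
      name: ${cert}
      type: certificate
  output:
    secret:
      name: ${secret}
      type: kubernetes.io/tls
EOF
}

# Replace the hand-maintained TLS secret with the synced one. The delete is
# only needed on an existing deployment; --ignore-not-found makes it safe to
# run on a fresh one as well.
migrate_tls_secret() {
  vault="$1"; cert="$2"; secret="$3"; ns="$4"
  kubectl delete secret "${secret}" -n "${ns}" --ignore-not-found
  render_akv_secret_manifest "${vault}" "${cert}" "${secret}" "${ns}" | kubectl apply -f -
}

# Step 6: show the controller's view of the sync, then decode the certificate
# it produced so you can confirm the subject and expiry match the vault copy.
check_sync() {
  secret="$1"; ns="$2"
  kubectl get akvs "${secret}" -n "${ns}"
  kubectl get secret "${secret}" -n "${ns}" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -enddate
}

# Usage (with a kubeconfig pointing at the cluster):
#   migrate_tls_secret my-akv onelist-tls onelist-tls-secret onelist
#   check_sync onelist-tls-secret onelist
```

If the akvs resource never reports as synced, kubectl describe akvs on it shows the controller's error event; an access-denied message there points back to the missing Get permission or the vault firewall from steps 3 and 4.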
References:
Certificates with Azure Key Vault and Nginx Ingress Controller